Organizational Security Policies
- Who can access which resources in what manner?
- Security policy - high-level management document that informs all users of the goals and constraints on using a system.
Security Policies Purpose
- Recognize sensitive information assets
- Clarify security responsibilities
- Promote awareness for existing employees
- Guide new employees
Security Policies Audience
- Users
- Owners
- Beneficiaries
- Balance Among All Parties
Contents
- Purpose
- Protected Resources (what - asset list)
- Nature of the Protection (who and how)
Characteristics of a Good Security Policy
- Coverage (comprehensive)
- Durability
- Realism
- Usefulness
- Examples
Physical Security
- Natural Disasters
  - Flood
  - Fire
  - Other
- Power Loss
  - UPS; surge suppressors (line conditioners)
- Human Vandals
  - Unauthorized Access and Use
  - Theft
Physical Security
- Interception of Sensitive Information
  - Dumpster Diving - Shredding
  - Remanence (slack bits)
    - Overwriting Magnetic Data
    - DiskWipe
    - Degaussing
  - Emanation - Tempest
Contingency Planning
- BACKUP!!!!!
  - Complete backup
  - Revolving backup
  - Selective backup
- OFFSITE BACKUP!!!!!
- Networked Storage (SAN)
- Cold site (shell)
- Hot site